Introduction to Runtime Application Self Protection (RASP): Making Applications Self Protecting, Self Diagnosing and Self Testing


The security industry is belatedly realizing that existing security mechanisms are becoming less and less effective, and that attacks and breaches are now commonplace. Many security vendors now talk as if breaches are inevitable, and that organizations should build robust Incident Response capability to minimize their adverse effects. Why is this?

Partly it's due to the emergence of the cloud and mobility and the plethora of ways that data is created, shared and stored. Data is becoming harder to lock down and secure.  

But it’s also due to a misplaced confidence that ever more sophisticated perimeter and network security can protect organizations from attack.  It’s estimated that 95% of security spend is on traditional security controls such as network and endpoint security, and security spend has risen rapidly in most organizations over the past few years.

Yet the breaches keep on coming. The important question is "where are the breaches occurring?". According to Gartner, over 80% of security breaches occurred via the application layer. Applications are the gateway to the data (typically stored in databases): they provide access and context to data. Yet firewalls (including Next Generation Firewalls), IPS devices and endpoint security protect against attack at the network or host layer, not the application layer.

Changes in the cyber security landscape

The cyber security landscape has become increasingly complex in recent years. Threats include hackers motivated by non-commercial considerations, as well as sophisticated cyber-criminal gangs and even the intelligence services of foreign nations. Cyber security has been designated the Number 1 threat facing the United States, and other leading economies face similar threats and concerns. Among the high profile hacking cases in just the last 12 months are major corporations such as Target, the US's 2nd largest retailer; the Wall Street Journal, arguably its most important publication; JPMorgan Chase, its largest bank; and eBay, Amazon and the Apple Cloud, three of the most important e-Commerce services.

So if applications are the target, what protects them against attack? Web Application Firewalls? But these too are network based and have no contextual awareness of an application: they see the HTTP request, not what the application then does with it, so they cannot reliably tell an attack from legitimate input in a language they do not speak. Until now there has been remarkably little protection for applications. The nascent application security market is dominated by vendors that provide application testing tools (e.g. Static/Dynamic Application Security Testing) and penetration/vulnerability testing, which identify weaknesses and vulnerabilities within an organization's defenses.

But whilst providing valuable assistance in reducing risk, neither of these can remediate vulnerabilities or actually protect against attacks.


An example analogy:

If someone breaks into your home and steals the family jewels from a safe hidden behind a picture in your bedroom, you can view the exploit as being based on the fact that they were able to breach your perimeter defenses (e.g. your garden gate or wall, the door to your house or a window, then entering the bedroom and discovering the safe). Or you can view the exploit as being based directly on the fact that they were able to break open the safe, irrespective of how they gained access to your home: for instance, someone with legitimate access, such as a cleaner or gardener, would not have been able to steal your jewels unless they could crack the safe. In this analogy, the perimeter is your security defenses. The safe is the application layer, because this is ultimately where the family jewels are stored.

Why is Application Security Important?

- The application layer is where the real damage is done in 80% of cases.*
- Perimeter defenses (e.g. web application firewalls) have proven to be inadequate for stopping sophisticated hackers, cyber-criminals and foreign agencies from penetrating the perimeter.
- The perimeter itself has become porous due to major trends such as:
  - 'Bring your own device' ("BYOD") and pervasive modern work practices which require remote connection to key applications; and
  - The integration of enterprise servers with e-Commerce customer distribution and supply chains.
- Modern software applications normally depend on many imported components (libraries and frameworks) that the application's own programmers did not write, but which ultimately constitute more than 90% of the software application.**
  - In addition, software packages written by 3rd parties will generally be a black box, in that the client operating the software will not have access to the source code.
- Cyber security defenses have historically focused on a subsection of the landscape, typically client facing web applications or other applications with the largest potential damage to corporate reputation or actual monetary loss. With increasingly sophisticated attacks, the penetration of any application on a corporate network can lead to lateral attacks or long term 'sleeping agents'/spies which are very difficult to protect against if the application remains vulnerable.

* Source: Gartner

Runtime Application Self Protection (RASP): a new type of defense

This is why we have seen the emergence of a new type of application security category that Gartner has named RASP - Runtime Application Self Protection.

A true RASP technology should have:

- Deep visibility into applications, and the ability to monitor and block attacks.
- Critically, it should also be non-invasive, requiring no changes to application code.
- It should be transparent to both the application owner and the user.
- There should be no noticeable latency.
- It should automatically remediate vulnerabilities found by testing tools, and provide application profiling and hardening.
- It should also provide a granular feedback loop that gives valuable real-time insight as to which applications are being attacked, by whom, and how.
- A true RASP technology will radically reduce the attack surface of applications, and at the same time drive down costs by providing for automatic remediation of vulnerabilities.
- A true RASP technology will enable you to move your applications to the cloud, safe in the knowledge that they are protected as well as (or better than) they would be on your network.

If a technology can do all that, then it's probably time you got serious about Application Security.
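As an added illustration of the first two properties above (deep visibility, with no changes to application code) and of the contextual awareness a network-based WAF lacks, the following is a toy in-process RASP hook written for this page; it is not Waratek's product or code, and it stands in for what a real agent does at the JVM, CLR or interpreter level. It wraps Python's sqlite3 driver so that every SQL statement is inspected at the moment it executes, using a simple lexical check: an untrusted request value may contribute at most one SQL token (a string or number literal); if it spans several tokens it has altered the statement's structure and the call is blocked and logged. The application function `lookup_user` is deliberately vulnerable and left untouched. `handle_request`, the thread-local `untrusted` list, the `BLOCKED_EVENTS` log and the constructed `users` table are assumptions standing in for the web-framework integration a real product would provide, which would also use taint tracking rather than the substring match used here.

```python
import re
import sqlite3
import threading

# Per-thread record of the untrusted values that reached the current request.
# Assumption: a real deployment's framework integration fills this in;
# handle_request() below does it by hand for the demo.
_ctx = threading.local()

# Feedback loop: which statement was attacked, and with what input.
BLOCKED_EVENTS = []


class SQLInjectionBlocked(Exception):
    """Raised instead of executing a statement whose structure input has altered."""


# Minimal SQL lexer: literals, identifiers/keywords, comments, single-char operators.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"            # string literal; '' is an escaped quote
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"   # identifier or keyword
    r"|--[^\n]*"                 # line comment
    r"|/\*.*?\*/"                # block comment
    r"|\S",                      # any other non-space character
    re.S,
)


def tokenize(sql):
    """Return the (start, end) span of every token in sql."""
    return [m.span() for m in _TOKEN.finditer(sql)]


def input_breaks_structure(sql, value):
    """True if some occurrence of value in sql overlaps more than one token.

    Data that stays inside one literal ('alice', 42) is harmless; input that
    spans several tokens (' OR '1'='1) has changed what the statement does.
    """
    if not value:
        return False
    spans = tokenize(sql)
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        touched = sum(1 for s, e in spans if s < end and e > start)
        if touched > 1:
            return True
        start = sql.find(value, start + 1)
    return False


class GuardedCursor(sqlite3.Cursor):
    """Cursor that checks each statement against the request's untrusted inputs."""

    def execute(self, sql, parameters=()):
        for value in getattr(_ctx, "untrusted", ()):
            if input_breaks_structure(sql, value):
                BLOCKED_EVENTS.append({"sql": sql, "input": value})
                raise SQLInjectionBlocked(f"blocked statement: {sql!r}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    """Connection that hands out GuardedCursor objects."""

    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)

    def execute(self, sql, parameters=()):
        # Connection.execute builds its own cursor, so route it through ours.
        # executemany/executescript would need the same treatment.
        return self.cursor().execute(sql, parameters)


# Install the hook by swapping the driver's entry point: the application keeps
# calling sqlite3.connect() exactly as before (the "no code changes" property).
_original_connect = sqlite3.connect


def _guarded_connect(*args, **kwargs):
    kwargs.setdefault("factory", GuardedConnection)
    return _original_connect(*args, **kwargs)


sqlite3.connect = _guarded_connect


def lookup_user(conn, username):
    # Deliberately vulnerable application code (string concatenation), left as
    # written; the protection lives in the hook, not here.
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{username}'"
    ).fetchall()


def handle_request(conn, username):
    """Stand-in for a web handler (assumed): record the untrusted parameter, run the app code."""
    _ctx.untrusted = [username]
    try:
        return lookup_user(conn, username)
    finally:
        _ctx.untrusted = []


def run_demo():
    """Constructed sample data; returns (legitimate result, whether injection was blocked)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    conn.execute("INSERT INTO users VALUES (2, 'bob')")
    legit = handle_request(conn, "alice")
    try:
        handle_request(conn, "' OR '1'='1")
        blocked = False
    except SQLInjectionBlocked:
        blocked = True
    return legit, blocked


if __name__ == "__main__":
    print(run_demo())  # ([(1, 'alice')], True)
```

The point of the hook is where it sits: it sees the final statement the application is about to hand to the database, together with the request input that produced it, so it can decide on structure rather than on signatures in an HTTP request. The lexical check is one of the simplest ways to make that decision and is also where the example is weakest: a value that legitimately appears elsewhere in the statement (an input equal to a column name or operator) would be flagged, which is why production agents track tainted data through the program instead of searching for substrings.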

“Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority.”*

*Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves. Joseph Feiman, 25th September 2014

Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves

On 25 September 2014 Joseph Feiman, VP and Gartner Fellow, published a paper entitled 'Stop Protecting Your Apps; It's Time for Apps to Protect Themselves'*. In this report Feiman advocates the necessity of new technologies which will enable applications to protect themselves at run-time, i.e. as they operate live, rather than depending on external defenses such as firewalls which may or may not have been able to inhibit attacks. In 2015 this paper was voted 'Maverick' status by the other Gartner analysts.

Some of the Report findings:

“Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.”

“Perimeter protection technologies cannot protect against behind-the-perimeter insider attacks, which are as devastating as outsider attacks.”

“Perimeter protection technologies cannot protect what ceases to exist — the perimeter, which dissipates in the mobile, consumer-oriented and cloud-oriented world.”

“Technologies and services that we use to test and diagnose our applications for security vulnerabilities fail to scale to test all applications and to test them with the necessary accuracy. There are too many apps, testing skills are scarce, and tools are too complex and inaccurate.”

And Report Recommendations:

“Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.”

“Build and buy applications, systems, and IoT devices capable of self-protection. Review existing offerings and plan for adoption.”

“The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications: Our application security testing strategy fails because there are too many applications, application security testing skills are too scarce, testing tools are too complex, and their accuracy is not sufficient.”


www.waratek.com
